Difference between revisions of "Dovecot"
(No need to restart dovecot after certificates) |
|||
(11 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
+ | {{DISPLAYTITLE:Dovecot installation guide}} | ||
+ | |||
+ | == Prerequisite == | ||
+ | You will need to have setup [[Let’s Encrypt]] before going to this guide. | ||
+ | |||
== Install == | == Install == | ||
<syntaxhighlight lang="console"> | <syntaxhighlight lang="console"> | ||
− | + | $ sudo apt install dovecot-imapd dovecot-managesieved | |
</syntaxhighlight> | </syntaxhighlight> | ||
Line 10: | Line 15: | ||
User vmail will be used to store mail related data | User vmail will be used to store mail related data | ||
<syntaxhighlight lang="console"> | <syntaxhighlight lang="console"> | ||
− | + | $ sudo adduser --system --home /var/vmail/ --uid 800 --group vmail | |
Adding system user `vmail' (UID 800) ... | Adding system user `vmail' (UID 800) ... | ||
Adding new group `vmail' (GID 800) ... | Adding new group `vmail' (GID 800) ... | ||
Line 36: | Line 41: | ||
#!include auth-static.conf.ext | #!include auth-static.conf.ext | ||
</syntaxhighlight> | </syntaxhighlight> | ||
− | |||
Edit file <code>/etc/dovecot/conf.d/auth-passwdfile.conf.ext</code> and set option <code>default_fields</code> | Edit file <code>/etc/dovecot/conf.d/auth-passwdfile.conf.ext</code> and set option <code>default_fields</code> | ||
Line 62: | Line 66: | ||
} | } | ||
</syntaxhighlight> | </syntaxhighlight> | ||
− | |||
Create file <code>/etc/dovecot/users</code> | Create file <code>/etc/dovecot/users</code> | ||
<syntaxhighlight lang="console"> | <syntaxhighlight lang="console"> | ||
− | + | $ sudo touch /etc/dovecot/users | |
− | + | $ sudo chmod 640 /etc/dovecot/users | |
− | + | $ sudo chown root:dovecot /etc/dovecot/users | |
</syntaxhighlight> | </syntaxhighlight> | ||
Line 94: | Line 97: | ||
mail_location = mdbox:~/mdbox | mail_location = mdbox:~/mdbox | ||
</syntaxhighlight> | </syntaxhighlight> | ||
+ | |||
+ | === Sieve === | ||
+ | |||
+ | ==== Enable ==== | ||
+ | To enable sieve filters during mail delivery, edit file <code>/etc/dovecot/conf.d/15-lda.conf</code> and uncomment/modify the following lines<syntaxhighlight lang="sh"> | ||
+ | protocol lda { | ||
+ | # Space separated list of plugins to load (default is global mail_plugins). | ||
+ | mail_plugins = $mail_plugins sieve | ||
+ | } | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | ==== ManageSieve ==== | ||
+ | The manageSieve allows you mail client to set and modify the sieve scripts on your server. To enable it, uncomment/modify the following lines in <code>/etc/dovecot/conf.d/20-managesieve.conf</code><syntaxhighlight lang="sh"> | ||
+ | protocols = $protocols sieve | ||
+ | |||
+ | service managesieve-login { | ||
+ | inet_listener sieve { | ||
+ | port = 4190 | ||
+ | } | ||
+ | } | ||
+ | </syntaxhighlight>If you change default port, don't forget to change it in the firewall configuration bellow. | ||
+ | |||
+ | === Firewall === | ||
+ | You will need to open 2 ports in your firewall: | ||
+ | * <code>993</code> for imap | ||
+ | * <code>4190</code> for managesieve (if enabled above) | ||
+ | {{nftables/config|category = Dovecot|tcp_port_out = |udp_port_out = |user_out = |tcp_port_in = 993, 4190|udp_port_in = }} | ||
=== TLS === | === TLS === | ||
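Review bot: the Firewall section says 4190 is needed only "if enabled above", but the nftables template line hard-codes `tcp_port_in = 993, 4190`, so a reader who skipped ManageSieve still opens that port; tell them to drop 4190 from the list in that case. In the ManageSieve paragraph, "allows you mail client" should read "allows your mail client" and "bellow" should be "below". Both new snippets are tagged lang="sh" although they are Dovecot configuration, not shell.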
Line 99: | Line 129: | ||
==== Generate Certificate ==== | ==== Generate Certificate ==== | ||
− | This part assume that you've setup [ | + | This part assume that you've setup [[Let’s Encrypt]]. |
Add your domain to <code>/etc/nginx/sites-available/noweb</code> | Add your domain to <code>/etc/nginx/sites-available/noweb</code> | ||
Line 106: | Line 136: | ||
</syntaxhighlight> | </syntaxhighlight> | ||
− | Add your new certificate to <code>/usr/local/ | + | Add your new certificate to <code>/usr/local/etc/certmanage/main.json</code> |
<syntaxhighlight lang="python"> | <syntaxhighlight lang="python"> | ||
{ | { | ||
− | 'domains': ['imap.example.org' | + | 'domains': ['imap.example.org'] |
− | |||
} | } | ||
</syntaxhighlight> | </syntaxhighlight> | ||
And finally generate the certificate | And finally generate the certificate | ||
− | + | {{Let’s Encrypt/New Cert Command|domain = imap.example.org |beforeCommand=$ sudo systemctl reload nginx}} | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
==== Configure ==== | ==== Configure ==== | ||
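Review bot: the main.json snippet uses single-quoted strings (`'domains': ['imap.example.org']`) and is highlighted as Python; if certmanage reads this file with a strict JSON parser the quotes must be double, so either change the example or state which format the tool accepts. The intro line still reads "This part assume that you've setup": "assumes" and "set up" would fix it, and the sentence now repeats the new Prerequisite section.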
Line 155: | Line 164: | ||
# SSL protocols to use | # SSL protocols to use | ||
− | ssl_protocols = | + | ssl_protocols = TLSv1.2 |
# SSL ciphers to use | # SSL ciphers to use | ||
− | ssl_cipher_list = EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH | + | ssl_cipher_list = EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4 !CAMELLIA !SEED |
# Prefer the server's order of ciphers over client's. | # Prefer the server's order of ciphers over client's. | ||
ssl_prefer_server_ciphers = yes | ssl_prefer_server_ciphers = yes | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | === Limits === | ||
+ | By default dovecot limit IMAP connections to 10 per IP and per user. Given that each email client can use multiple connections and that you might have multiple devices at home, it is quite easy to reach the limit. | ||
+ | |||
+ | On a server with few users, it is safe to raise the limit. To do so, edit <code>mail_max_userip_connections</code> in file <code>/etc/dovecot/conf.d/20-imap.conf</code><syntaxhighlight lang="sh"> | ||
+ | protocol imap { | ||
+ | ... | ||
+ | |||
+ | # Maximum number of IMAP connections allowed for a user from each IP address. | ||
+ | # NOTE: The username is compared case-sensitively. | ||
+ | mail_max_userip_connections = 100 | ||
+ | |||
+ | ... | ||
+ | } | ||
</syntaxhighlight> | </syntaxhighlight> | ||
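Review bot: the Limits text justifies `mail_max_userip_connections = 100` with "On a server with few users, it is safe", but the setting is per user and per IP, so the number of users is not what bounds it; suggest a value sized to the clients actually in use, or a sentence on what the limit protects. In the TLS hunk, the bare `EECDH` term in `ssl_cipher_list` admits every remaining ECDHE suite not removed by the `!` exclusions, so the explicit SHA384/SHA256 entries before it only set ordering; a comment saying that is intended would help. "dovecot limit" should be "Dovecot limits".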
Line 175: | Line 199: | ||
[[Category:Fail2Ban]] | [[Category:Fail2Ban]] | ||
[[Category:Linux Server]] | [[Category:Linux Server]] | ||
+ | [[Category:nftables]] |
Latest revision as of 09:45, 2 April 2017
Prerequisite
You will need to have set up Let’s Encrypt before following this guide.
Install
$ sudo apt install dovecot-imapd dovecot-managesieved
Configuration
Create System User
The vmail user will be used to store mail-related data.
$ sudo adduser --system --home /var/vmail/ --uid 800 --group vmail
Adding system user `vmail' (UID 800) ...
Adding new group `vmail' (GID 800) ...
Adding new user `vmail' (UID 800) with group `vmail' ...
Creating home directory `/var/vmail/' ...
If the command complains about the UID or GID being in use, just increment the number. It can be anything between 500 and 999.
Authentication
Activate
Edit file /etc/dovecot/conf.d/10-auth.conf and make sure the only included authentication mechanism is passwdfile.
#!include auth-deny.conf.ext
#!include auth-master.conf.ext
#!include auth-system.conf.ext
#!include auth-sql.conf.ext
#!include auth-ldap.conf.ext
!include auth-passwdfile.conf.ext
#!include auth-checkpassword.conf.ext
#!include auth-vpopmail.conf.ext
#!include auth-static.conf.ext
Edit file /etc/dovecot/conf.d/auth-passwdfile.conf.ext and set option default_fields
# Authentication for passwd-file users. Included from 10-auth.conf.
#
# passwd-like file with specified location.
# <doc/wiki/AuthDatabase.PasswdFile.txt>
passdb {
driver = passwd-file
args = scheme=CRYPT username_format=%u /etc/dovecot/users
}
userdb {
driver = passwd-file
args = username_format=%u /etc/dovecot/users
# Default fields that can be overridden by passwd-file
#default_fields = quota_rule=*:storage=1G
default_fields = uid=vmail gid=vmail home=/var/vmail/%u
# Override fields from passwd-file
#override_fields = home=/home/virtual/%u
}
Create file /etc/dovecot/users
$ sudo touch /etc/dovecot/users
$ sudo chmod 640 /etc/dovecot/users
$ sudo chown root:dovecot /etc/dovecot/users
Add a User
First generate a password hash for the user
$ doveadm pw -s SHA512-CRYPT
Enter new password:
Retype new password:
{SHA512-CRYPT}$6$o5TBpwJqGhEgsq3G$YGUPIDDkAJGaRYdMrW4kNWQzEyCwyeJAxnnyyphcR8MjPUo4yzUNy55sgAP0Qx73CI72XzUqIFGlKUvir7QkR1
Now add a line to /etc/dovecot/users
# Format is <user>:<password>::::::
# Generate passwords with: doveadm pw -s SHA512-CRYPT
jdoe:{SHA512-CRYPT}$6$o5TBpwJqGhEgsq3G$YGUPIDDkAJGaRYdMrW4kNWQzEyCwyeJAxnnyyphcR8MjPUo4yzUNy55sgAP0Qx73CI72XzUqIFGlKUvir7QkR1::::::
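A check for the file built in this section, as an added example that is not part of the original guide: it flags a file mode that grants access to other users and entries that do not match the `user:{SCHEME}hash::::::` layout. The function names, the scheme allow-list and the sample entries are assumptions made for illustration, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: audit a Dovecot passwd-file laid out as on this page
# (user:{SCHEME}hash::::::). Prints one finding per line, nothing if clean.

audit_users_file() {
    # The page sets mode 640 root:dovecot; any "other" permission bit is a finding.
    mode=$(stat -c '%a' "$1") || return 2
    case "$mode" in
        *0) ;;
        *)  echo "file: mode $mode grants access to other users (expected 640)" ;;
    esac
    awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        {
            user = $1; pw = $2
            if (user == "") { printf "line %d: empty user name\n", NR; next }
            if (NF < 8)     printf "%s: %d fields, expected 8\n", user, NF
            if (seen[user]++) printf "%s: duplicate entry\n", user
            if (pw == "")   { printf "%s: empty password field\n", user; next }
            if (match(pw, /^[{][^}]+[}]/)) {
                scheme = substr(pw, 2, RLENGTH - 2)
                if (scheme !~ /^(SHA512-CRYPT|SHA256-CRYPT|BLF-CRYPT|ARGON2I|ARGON2ID)$/)
                    printf "%s: scheme %s is not on the allow-list\n", user, scheme
            } else {
                # Without a prefix Dovecot uses the passdb default (scheme=CRYPT here).
                printf "%s: no {SCHEME} prefix\n", user
            }
        }' "$1"
}

# Constructed sample: one good entry, then four deliberately bad ones.
write_sample() {
    cat > "$1" <<'EOF'
# Format is <user>:<password>::::::
jdoe:{SHA512-CRYPT}$6$CONSTRUCTEDSALT$ConstructedHashValueForIllustrationOnly::::::
alice:{PLAIN}hunter2::::::
bob:{SHA512-CRYPT}$6$CONSTRUCTEDSALT$ConstructedHashValueForIllustrationOnly:::
carol:::::::
jdoe:$6$CONSTRUCTEDSALT$ConstructedHashValueForIllustrationOnly::::::
EOF
    chmod 640 "$1"
}

sample=$(mktemp) && write_sample "$sample" && audit_users_file "$sample"
rm -f "$sample"
```

On the real file, run `audit_users_file /etc/dovecot/users` as root; the owner and group (root:dovecot) are not checked by this sketch.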
Mail Storage
Configuration of the mail storage is done in /etc/dovecot/conf.d/10-mail.conf
mail_location = mdbox:~/mdbox
Sieve
Enable
To enable sieve filters during mail delivery, edit file /etc/dovecot/conf.d/15-lda.conf and uncomment/modify the following lines
protocol lda {
# Space separated list of plugins to load (default is global mail_plugins).
mail_plugins = $mail_plugins sieve
}
ManageSieve
ManageSieve allows your mail client to set and modify the sieve scripts on your server. To enable it, uncomment/modify the following lines in /etc/dovecot/conf.d/20-managesieve.conf
protocols = $protocols sieve
service managesieve-login {
inet_listener sieve {
port = 4190
}
}
If you change the default port, don't forget to change it in the firewall configuration below.
Firewall
You will need to open 2 ports in your firewall:
993 for imap
4190 for managesieve (if enabled above)
Assuming that you configured nftables as described, you can edit file /etc/nftables/main_config.conf and add
# Dovecot
add element inet main tcp_port_in { 993, 4190 }
and activate it using
$ sudo /etc/nftables/reload_main.conf
TLS
Generate Certificate
This part assumes that you've set up Let’s Encrypt.
Add your domain to /etc/nginx/sites-available/noweb
server_name imap.example.org;
Add your new certificate to /usr/local/etc/certmanage/main.json
{
'domains': ['imap.example.org']
}
And finally generate the certificate
$ sudo systemctl reload nginx
$ sudo /usr/local/sbin/certmanage
Renewing certificate for imap.example.org that will expire on 0001-01-01
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for imap.example.org
Using the webroot path /var/www/acme-challenge for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/1764_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/1764_csr-certbot.pem
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/imap.example.org/fullchain.pem. Your cert
will expire on 2025-03-03. To obtain a new or tweaked version of
this certificate in the future, simply run certbot again. To
non-interactively renew *all* of your certificates, run "certbot
renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Configure
Edit file /etc/dovecot/conf.d/10-ssl.conf and change the following settings
# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = required
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert = </etc/letsencrypt/live/imap.example.org/fullchain.pem
ssl_key = </etc/letsencrypt/live/imap.example.org/privkey.pem
# DH parameters length to use.
ssl_dh_parameters_length = 2048
# SSL protocols to use
ssl_protocols = TLSv1.2
# SSL ciphers to use
ssl_cipher_list = EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4 !CAMELLIA !SEED
# Prefer the server's order of ciphers over client's.
ssl_prefer_server_ciphers = yes
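To confirm that a deployed 10-ssl.conf still carries the settings above, here is a small linter, added as an example and not part of the original guide. The function names, the list of required exclusions and the weak sample configuration are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: lint a Dovecot 10-ssl.conf against the settings chosen on this page.
# Print the value of the last uncommented "key = value" line for key $2 in file $1.
get_setting() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        {
            eq = index($0, "="); if (!eq) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

audit_ssl_conf() {
    [ "$(get_setting "$1" ssl)" = required ] || echo "ssl: expected required"
    [ "$(get_setting "$1" ssl_prefer_server_ciphers)" = yes ] ||
        echo "ssl_prefer_server_ciphers: expected yes"
    protocols=$(get_setting "$1" ssl_protocols)
    [ -n "$protocols" ] || echo "ssl_protocols: not set, built-in default applies"
    # Each listed protocol must be TLSv1.2 or newer, or be negated with "!".
    for p in $protocols; do
        case "$p" in
            TLSv1.2|TLSv1.3|!*) ;;
            *) echo "ssl_protocols: legacy protocol $p enabled" ;;
        esac
    done
    # The cipher string on this page ends with exclusions; require the key ones.
    ciphers=" $(get_setting "$1" ssl_cipher_list) "
    for x in aNULL eNULL LOW 3DES MD5 EXP RC4; do
        case "$ciphers" in
            *" !$x "*) ;;
            *) echo "ssl_cipher_list: missing exclusion !$x" ;;
        esac
    done
}

# Constructed weak configuration (not from the page) to show the findings.
weak=$(mktemp)
cat > "$weak" <<'EOF'
ssl = yes
ssl_protocols = !SSLv2 TLSv1 TLSv1.1 TLSv1.2
ssl_cipher_list = EECDH+aRSA+AESGCM EECDH !aNULL !eNULL
#ssl_prefer_server_ciphers = yes
EOF
audit_ssl_conf "$weak"
rm -f "$weak"
```

Dovecot 2.3 and later replace `ssl_protocols` with `ssl_min_protocol`, so the protocol check needs adapting on those versions.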
Limits
By default Dovecot limits IMAP connections to 10 per IP and per user. Given that each email client can use multiple connections and that you might have multiple devices at home, it is quite easy to reach the limit.
On a server with few users, it is safe to raise the limit. To do so, edit mail_max_userip_connections in file /etc/dovecot/conf.d/20-imap.conf
protocol imap {
...
# Maximum number of IMAP connections allowed for a user from each IP address.
# NOTE: The username is compared case-sensitively.
mail_max_userip_connections = 100
...
}
Fail2Ban
Create file /etc/fail2ban/jail.d/dovecot.conf with the following content
[dovecot]
enabled = true